Government Cracking Down on Hacking Disclosures

Editor’s Note: Critical infrastructure companies will need: 1) clear guidelines on what does and does not need to be reported in the event of a data security breach; and 2) security from federal action and from third-party litigation for companies that follow reporting guidelines.

From: Wall Street Journal

Rachael King

A new government regulation should have CIOs on guard. In 2013, defense contractors will be required to start telling the government when their systems are hacked. It was one of many cybersecurity requirements outlined in the $633 billion National Defense Authorization Act that President Obama signed on January 3. Previously, disclosure was voluntary and encouraged. The act gives the Department of Defense 90 days to establish procedures for defense contractors to disclose cyber breaches. Defense contractors will eventually need to report breaches, the tools attackers used to steal sensitive government information, and the impact on Department of Defense data. It is unclear what penalty will be doled out to companies that fail to participate.

The disclosure rules are a sign that the government is starting to crack down on companies that don’t willingly disclose cyber breaches. The Securities and Exchange Commission, for example, gave companies disclosure guidelines in October 2011, but by June 2012 many companies weren’t reporting breaches, saying they were immaterial, reported Reuters. Dmitri Alperovitch, founder and chief technology officer of security tech firm CrowdStrike Inc., told Reuters that one defense contractor that lost intellectual property to China didn’t disclose the breach.

In 2012, the SEC sent letters to a number of companies, including Amazon.com Inc., Google Inc., American International Group Inc., and Hartford Financial Services Group Inc., asking them to include cyber intrusions in earnings reports, Bloomberg reported in August.

The SEC guidelines lack teeth, but with the NDAA’s passage, CIOs will need to be ready for the possibility that disclosure will be legislated. For CIOs it is not just a matter of reporting intrusions, but also of knowing when their companies have been attacked in the first place. About 92% of cyber breaches are reported to companies by third parties, according to the 2012 Verizon Data Breach Investigations Report.

The NDAA goes into effect after Senate Republicans last November shot down a bill that would have created mechanisms for sharing cyberthreat information between government and businesses, as well as requiring critical infrastructure operators to notify the government when they have been attacked. The demise of the Cyber Security Act of 2012 may ultimately result in President Obama signing an executive order on the issue.

Aside from disclosure requirements, the NDAA also instructs the Defense Department to “develop a strategy to acquire next-generation host-based cybersecurity tools and capabilities,” and to engage in secure software development, reports InformationWeek.
